dash.

training

notes | pki fundamentals link list

Links from my ‘PKI Fundamentals’ training, available for delivery as corporate training or for individuals at authorized Microsoft Learning partners.

Please report broken links.

Introduction to Cryptography

• Cryptanalysis on Wikipedia

Algorithms

• Sunsetting SHA-1 (kind of an old already in 2024)
• SHA-256 Compatibility — SHA-256 Compatibility
• Disk encryption theory - Wikipedia
• Good example of ECB (Electronic Codebook) encryption, more on it here The ECB Penguin
• Tweakable Block Ciphers
• Bitlocker: AES-XTS (new encryption type)
• You Don’t Want XTS

OIDs

• Show an OID at IANA then type 53698

• [IANA

  Request Private Enterprise Numbers](http://pen.iana.org/pen/PenApplication.page)

• OIDs for Microsoft Cryptography

ASN.1

• [ASN.1 Editor

  PKI Solutions](https://www.pkisolutions.com/tools/asn1editor/)

Getting Started with CAs

External CAs

• SSL certificates at Comodo

• [Microsoft Trusted Root Certificate Program Audit Requirements

  Microsoft Learn — Microsoft Trusted Root Certificate Program](https://social.technet.microsoft.com/wiki/contents/articles/31635.microsoft-trusted-root-certificate-program-audit-requirements.aspx)

• free code signing for Open Source Software
• cheap code signing for Open Source Software
• Example of terminated trust
• Example of terminated trust

Active Directory Certificate Services

• Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429)
• Commands for AD CS setup on Windows Server Core
• Lab Guide: Installing a Two-Tier AD CS
• Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy
• AD CS common issues
• KB5005413: Mitigating NTLM Relay Attacks on AD CS
• What is a strong key protection in Windows? - Sysadmins LV — Much more about this:
• Activating the Strong Private Key Protection
• Force strong key protection for user keys stored on the computer
• Windows FIPS 140 validation FIPS compliant algorithms for encryption, hashing, and signing Federal Information Processing Standard (FIPS) 140-2 is a security implementation that is designed for certifying cryptographic software. This setting has a lot of impact, not all of it good.
• AD CS Security Guidance
• Install and Configure Certificate Enrolment Policy Web Service
• TameMyCerts policy module for Microsoft Active Directory Certificate Services
• Sleepw4lker/TameMyCerts: Policy Module for Microsoft Active Directory Certificate Services on GitHub
• GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. — PSPKIAudit on GitHub
• certutil — PKI Health Tool, Certutil

PowerShell automation

• [PSPKI

  PKI Solutions — PSPKI](https://www.pkisolutions.com/tools/pspki/)

• Approve-CertificateRequest with PSPKI
• Backup-CARoleService

HSMs

• Certification Authority Guidance Planning Key Storage, Hardware Security Module (HSM)
• Azure Cloud HSM Onboarding Guide
• Azure Cloud HSM Integration Guide
• Key storage provider (KSP) for AWS CloudHSM Client SDK 5 - AWS CloudHSM — AWS CloudHSM
• SoftHSM v2 for Windows

Online Responders

• Manually verify a certificate against an OCSP with OpenSSL

NDES

• Linuz Certificate Enrollment and Automated Renewal Using NDES

OpenSSL

• Download and install OpenSSL Light with winget

Practical Applications

Web Servers

• Nartac Software IIS Crypto for setting cipher suites on IIS
• SSL Server Test test which cipher suite is being used(Powered by Qualys SSL Labs)
• Hardenize comprehensive web site configuration test
• CAA Records devined by DNS Simple
• CAA Records Certificate Authority Authentication defined by Let’s Encrypt
• CAA Record Generator Construct a CAA record
• DNS Propagation Checker Global DNS Testing Tool — Check proppegation of your DNS records to troubleshoot CAA visibility
• HSTS Preload List Submission
• Certificate and Public Key Pinning
• Red Sift Proactive certificate expiry notification

Smart Cards

• Drivers for the Gemalto cards
• Setting up Certificate Templates to Enroll on behalf of other Users

• [Enabling smart card logon - Windows Server

  Microsoft Learn — Logon with certs from 3rd-party Cas](https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio)

• Virtual Smart Cards
• Get Started with Virtual Smart Cards - Walkthrough Guide

PowerShell Remoting

• Enable secure Windows/Powershell Remoting over https

Disk encryption

• How to Make BitLocker Use 256-bit AES Encryption Instead of 128-bit AES

Code signing

• [SignTool - Win32 apps

  Microsoft Learn — Sign Tool documentation here:](https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool)

• SSL certificates inside Java apps
• Java Code Signer

DNS SEC

• DNSViz visualization for “lab.graydaycafe.com”
• DNSSEC Debugger

Timestamps

• Time Stamp Server & Stamping Protocols
• Free Time Stamp Authority

Other applications

• What is Strict KDC Validation? by Ammar Hasayen
• Enabling Strict KDC Validation in Windows Kerberos
• Authenticate with X.509 certificates — Azure IoT
• Device Guard
• Encrypted SQL Server Connections
• Using Certificates in Azure SQL Database

Further reading

• Trustless transaction verification (watch on YouTube)
• Post-quantum Cryptography